Lazarus Hackers Abuse Git Symlink Vulnerability in Stealthy Phishing Campaign

KuCoin’s security team has uncovered a new phishing campaign orchestrated by the Lazarus Group (APT38), the notorious state-sponsored collective renowned for financially motivated cyberespionage.

Armed with government resources and a history of high-profile breaches, Lazarus continues to evolve its tactics to target cryptocurrency and financial institutions worldwide.

Over the last decade, Lazarus has homed in on banks, cryptocurrency exchanges, and related businesses, casting a wide net before zeroing in on high-value victims.

Their hybrid strategy has even ensnared security researchers in past operations to unearth unreported vulnerabilities. By alternating between mass phishing efforts and precision strikes, Lazarus maximizes both reach and impact.

Lazarus employs a diverse arsenal of attack vectors:
  • spear-phishing campaigns leveraging fake job postings and impersonated emails;
  • watering-hole compromises of frequently visited sites;
  • supply-chain intrusions via tainted Git and npm packages;
  • social engineering tailored to individual victim profiles.

Their phishing sequences typically initiate on LinkedIn, Telegram, or X, with attackers masquerading as recruiters. Targets are lured into “interview” scenarios, ultimately coerced into running malicious code that harvests credentials and siphons cryptocurrency.

This new campaign exploits CVE-2025-48384, a recently disclosed Git symlink vulnerability. When targeting technical professionals, the attackers ask victims to complete a “coding test” by cloning a malicious repository.

During the clone operation, Git follows a symlink in api/db_drivers that points to the repository’s internal modules, executing a planted post-checkout hook. This hook triggers a Node.js backdoor (mongodb.hook.js), establishing a persistent connection for further payload delivery.
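The defensive check this mechanism calls for, as an added example written for this page (not code from the article or from KuCoin's analysis): clone the repository with hooks disabled (for instance `git -c core.hooksPath=/dev/null clone …`), then audit the working tree for symlinks that resolve inside `.git` and for executable hook files before running any further Git command in it. The repository it builds is a constructed stand-in; the `api/db_drivers` path and the `post-checkout` hook name come from the article, the hook body is a harmless placeholder.

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_repo(repo: str) -> dict:
    """Audit a clone made with hooks disabled, before running any Git command in it:
    report working-tree symlinks that resolve inside .git and executable hook files
    Git would run (*.sample files are ignored by Git)."""
    root = Path(repo).resolve()
    git_dir = root / ".git"
    findings = {"symlinks_into_git": [], "live_hooks": []}
    # os.walk never descends into symlinked directories, so a link such as
    # api/db_drivers -> .git/hooks is inspected as an entry, not followed.
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if Path(dirpath, d) != git_dir]
        for name in dirnames + filenames:
            entry = Path(dirpath, name)
            if not entry.is_symlink():
                continue
            target = (entry.parent / os.readlink(entry)).resolve()
            if target == git_dir or git_dir in target.parents:
                findings["symlinks_into_git"].append(
                    (str(entry.relative_to(root)), str(target.relative_to(root))))
    hooks_dir = git_dir / "hooks"
    if hooks_dir.is_dir():
        for hook in sorted(hooks_dir.iterdir()):
            if hook.is_file() and hook.suffix != ".sample" and os.access(hook, os.X_OK):
                findings["live_hooks"].append(hook.name)
    return findings

def build_sample_repo(base: str) -> str:
    """Constructed stand-in for the layout the article describes (not the real sample):
    a live post-checkout hook and a symlink api/db_drivers -> .git/hooks (harmless body)."""
    root = Path(base) / "coding-test"
    hooks_dir = root / ".git" / "hooks"
    hooks_dir.mkdir(parents=True)
    hook = hooks_dir / "post-checkout"
    hook.write_text("#!/bin/sh\necho constructed placeholder hook\n")
    hook.chmod(hook.stat().st_mode | stat.S_IXUSR)
    (hooks_dir / "pre-commit.sample").write_text("# sample files are never run\n")
    (root / "api").mkdir()
    os.symlink("../.git/hooks", root / "api" / "db_drivers")
    return str(root)

def demo() -> dict:
    """Build the constructed repository in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_repo(build_sample_repo(tmp))
```

Run `audit_repo` against any freshly cloned path; a non-empty result in either list is reason to discard the clone without running anything in it.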

In attacks targeting non-technical personnel, threat actors have been using LinkedIn and X (Twitter) to conduct fake interview phishing.

Attack Flowchart.

On macOS, the shell script the victim is told to run downloads and installs cdrivMac.sh, a downloader/persistence tool that fetches a ZIP archive (CDrivers.zip) containing a Go-based stealer and the disguised ChAudioFixer.app utility.

A LaunchAgent plist ensures execution on login, enabling password, cookie, and wallet theft.

Lazarus operatives sent LinkedIn messages with counterfeit interview invitations. Victims were redirected to aptiscore.com, where multiple form submissions masked prolonged engagement.

Non-technical targets face a different ruse: a fake video-interview site claiming a “camera driver missing” error. Victims receive repeated pop-ups urging them to execute a shell script.

During the “video call,” victims ran a terminal command fetched from technudge.pr, unknowingly installing the malware.

Analysis of the installer script reveals capabilities for system profiling, remote file control, and credential exfiltration before self-cleaning to evade detection.

Malware Analysis

  • A downloader script (cloud.sh) that selects the correct binary (ARM64 or Intel) and unzips it into ~/Library/LaunchAgents.
  • A Go-compiled stealer that harvests browser cookies and passwords.
  • A disguised application (ChAudioFixer.app) that provides on-demand UI to mislead victims.
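A triage check for the persistence described above, as an added example written for this page (not code from the article or from the campaign's analysis): parse every plist in a LaunchAgents folder and flag agents whose program or arguments live inside that folder itself (where the downloader unzips its payload) or in a temp location, noting when they run at login. The two plists it writes are constructed samples; the `cloud.sh` name is taken from the article, and no payload file is created.

```python
import plistlib
import tempfile
from pathlib import Path

# User-writable locations a legitimate login agent's program is not expected to run from.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")

def triage_launch_agents(agents_dir: str) -> list:
    """Return (plist name, reasons) for agents worth a closer look: the program or
    any argument lives inside the LaunchAgents folder itself or in a temp location,
    with a note when RunAtLoad makes it start at login."""
    agents_dir = Path(agents_dir).resolve()
    hits = []
    for plist in sorted(agents_dir.glob("*.plist")):
        try:
            with open(plist, "rb") as fh:
                data = plistlib.load(fh)
        except (plistlib.InvalidFileException, ValueError):
            hits.append((plist.name, ["unparseable plist"]))
            continue
        argv = [str(a) for a in data.get("ProgramArguments", [])]
        if "Program" in data:
            argv.insert(0, str(data["Program"]))
        reasons = []
        for arg in argv:
            if arg.startswith(str(agents_dir) + "/"):
                reasons.append(f"runs payload stored in LaunchAgents: {arg}")
            elif arg.startswith(SUSPECT_PREFIXES):
                reasons.append(f"runs payload from temp location: {arg}")
        if reasons and data.get("RunAtLoad"):
            reasons.append("RunAtLoad=true (starts at login)")
        if reasons:
            hits.append((plist.name, reasons))
    return hits

def build_samples(base: str) -> str:
    """Write two constructed plists (not recovered from the campaign): a benign-looking
    updater and one mimicking the persistence described, launching cloud.sh from
    the LaunchAgents folder. Returns the folder path."""
    d = Path(base).resolve() / "LaunchAgents"
    d.mkdir()
    benign = {"Label": "com.example.updater", "RunAtLoad": True,
              "Program": "/Applications/Example.app/Contents/MacOS/updater"}
    dropper = {"Label": "com.constructed.chaudiofixer", "RunAtLoad": True,
               "ProgramArguments": ["/bin/sh", str(d / "cloud.sh")]}
    for name, content in (("com.example.updater", benign), ("com.constructed.chaudiofixer", dropper)):
        with open(d / f"{name}.plist", "wb") as fh:
            plistlib.dump(content, fh)
    return str(d)

def demo() -> list:
    """Write the constructed plists to a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_launch_agents(build_samples(tmp))
```

Point `triage_launch_agents` at `~/Library/LaunchAgents` to run it over a real profile.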

On Windows, victims run a PowerShell or CMD command to download cdrivWin.zip, expanding it to %TEMP%\cdrivWin. An update.vbs script extracts nvidia.py and executes it via a renamed python.exe (csshost.exe), then registers persistence through a registry key under Software\Microsoft\Windows\CurrentVersion\Run.

This toolkit shares infrastructure with earlier Lazarus operations, including the npm poisoning incident abusing cors-parser packages and use of Dropbox for Mac exfiltration.

The group’s penchant for URLComponents obfuscation in newer variants demonstrates an ongoing refinement to evade security tools.

In addition to the Git symlink exploit, Lazarus continues supply-chain assaults via poisoned npm modules (e.g., matrix-charts, rtkl), compromised private GitHub repositories, and malicious ZIP packages.

Victims are enticed through Telegram-based recruiter profiles, asked to clone GitLab repos with embedded hooks, and subjected to backdoor installation via post-checkout or pre-commit triggers.

Lazarus Group’s latest campaign underscores the persistent threat to cryptocurrency and financial sectors.

Organizations and individuals must reject unsolicited technical tests, scrutinize repository origins, and avoid executing unknown scripts. Vigilance and skepticism remain the first line of defense against these sophisticated phishing and supply-chain attacks.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.